But is there a real labor shortage?

[Rick Butler]

So I was reading a post on Reddit (here) and it sort of struck a cord with me. I won't repeat the post here - you get to go read it for yourself.

But at the risk of spoiler alert, the author's basic premise is that business leaders are simply making these statements:

• Stop putting all this security stuff in place that makes it harder and harder for me to do business
• Make security more friendly to my budget and we'll talk about it.
• ...oh but make sure to keep our collective butts out of hot water and get us compliant.

So, let me ask, is there really a cyber talent shortage, based on what we see coming through our classrooms? I mean, there are degrees all over the place and kids are enrolling in droves, but are we actually getting the rich cyber talent that we need to form solid blue teams and be able to defend our networks from come what may?

We all know that cybersecurity is the new sexy. It's the bright shiny buzz word surrounded by pictures of people in business attire, in darkened data centers, analyzing the content displayed on a couple of 27" displays with other pictures of some person in a hoodie and Guy Fawkes mask displayed as "the enemy". Little do these star-struck candidates know that if they actually get into a cyber role within five years after graduation (despite what some admissions rep may say), it's going to be filled with menial tasks like filling out hundreds of pages of documentation for compliance and insurance sake, answering tickets for why the password reset tool isn't working, and maybe pouring over the outputs correlated by a SIEM that shows little more than background noise. But hey, sexy things sell, so we have students (which is good for us...but...).

And as a side rant, just yesterday, US President Biden had some kind of conference with cyber leaders where the output seemed to be (at least from just reading the headlines) was, "Hey NIST, we need a new Framework". Why? What's wrong with the old framework? Seems it was just fine, but since we're still seeing cyber attacks (T-Mobile anyone), somehow a new framework would help tamp down all these new cyber threats.

I didn't think so, either.

I think 3_toad_Grizzly has a point. I personally don't see a real cyber shortage. I see a "care" shortage. I still see business leaders out there that don't care about cyber until it bites them in the posterior region and threatens to sap all their corporate profits that they reluctantly start hiring real cyber analysts into their organizations, rather than just the casual relationship with an MSP to solve a specific problem or, more likely, overcome a compliance/insurance hurdle.

Anyway, it seems CIN is a bit quiet this week, so I figure, time to get a good discussion going and earn a few more achievements and XP. Come one, come all...it's a good old fashioned RickRant!

/r

 

[NATUNA]

So I was reading a post on Reddit (here) and it sort of struck a cord with me. I won't repeat the post here - you get to go read it for yourself.

But at the risk of spoiler alert, the author's basic premise is that business leaders are simply making these statements:

• Stop putting all this security stuff in place that makes it harder and harder for me to do business
• Make security more friendly to my budget and we'll talk about it.
• ...oh but make sure to keep our collective butts out of hot water and get us compliant.

So, let me ask, is there really a cyber talent shortage, based on what we see coming through our classrooms? I mean, there are degrees all over the place and kids are enrolling in droves, but are we actually getting the rich cyber talent that we need to form solid blue teams and be able to defend our networks from come what may?

We all know that cybersecurity is the new sexy. It's the bright shiny buzz word surrounded by pictures of people in business attire, in darkened data centers, analyzing the content displayed on a couple of 27" displays with other pictures of some person in a hoodie and Guy Fawkes mask displayed as "the enemy". Little do these star-struck candidates know that if they actually get into a cyber role within five years after graduation (despite what some admissions rep may say), it's going to be filled with menial tasks like filling out hundreds of pages of documentation for compliance and insurance sake, answering tickets for why the password reset tool isn't working, and maybe pouring over the outputs correlated by a SIEM that shows little more than background noise. But hey, sexy things sell, so we have students (which is good for us...but...).

And as a side rant, just yesterday, US President Biden had some kind of conference with cyber leaders where the output seemed to be (at least from just reading the headlines) was, "Hey NIST, we need a new Framework". Why? What's wrong with the old framework? Seems it was just fine, but since we're still seeing cyber attacks (T-Mobile anyone), somehow a new framework would help tamp down all these new cyber threats.

I didn't think so, either.

I think 3_toad_Grizzly has a point. I personally don't see a real cyber shortage. I see a "care" shortage. I still see business leaders out there that don't care about cyber until it bites them in the posterior region and threatens to sap all their corporate profits that they reluctantly start hiring real cyber analysts into their organizations, rather than just the casual relationship with an MSP to solve a specific problem or, more likely, overcome a compliance/insurance hurdle.

Anyway, it seems CIN is a bit quiet this week, so I figure, time to get a good discussion going and earn a few more achievements and XP. Come one, come all...it's a good old fashioned RickRant!

/r

This thread in Reddit is too long. There are lot of information to think. In my view, the real cybersecurity labor is shortage in my country (Vietnam).

 

[Rick Butler]

This thread in Reddit is too long. There are lot of information to think. In my view, the real cybersecurity labor is shortage in my country (Vietnam).

I would probably say there are some areas of the country that are underserved with respect to trained professionals in cyber. But I am starting to not really believe the hyperbole, based on what I see out there, these days (and not coming from the media).

 

[Brian Ford]

Rick,
I believe there is a true cybersecurity workforce shortage.
I refer you to CyberSeek.org for quantitative data points based on US geography.
Beyond that there are many people in cybersecurity roles today who have not refreshed or updated their skills in years. They are in some cases unqualified for the positions they hold. Organizations that they support are vulnerable.
Cybersecurity skills are also rapidly evolving as our technology advances. Beyond 'Pen Testers' , I regularly see ads for cyber jobs looking for IAM, Remote Access, and Cloud skills. A couple of areas I believe are underserved include: security policy & procedural development (cyber management), and Compliance / Audit. In fact I believe that many Pen Test ads should read 'Audit /Compliance'.
Another issue I see is that when I work with young people (18-26 y/o) too many are hesitant to move for work. They would rather stay close to home, parents and friends. Entry level positions pay often isn't enough to get them to move.
Great topic. Thanks for positing it! And on a Friday.
Brian

 

[Lee McWhorter]

There seems to be a real shortage, but bigger problem may be mismatch of skills and experience. Too many 'entry level' cybersecurity jobs ask for too much experience and that is the biggest challenge I see students facing.

 

[Rick Butler]

Beyond that there are many people in cybersecurity roles today who have not refreshed or updated their skills in years. They are in some cases unqualified for the positions they hold.

This one popped up on my radar this week more as a side thing - how success is a liability because it makes people complacent. People get in these cyber roles, let their certs and knowledge go stale, which then brings them that state of being unqualified.

In fact I believe that many Pen Test ads should read 'Audit /Compliance'.

Well, it's that sexy factor that I mentioned.

• Pen Test Ninja/Red Team Operative - Sexy
• Compliance and Auditing Specialist - Yawn

There seems to be a real shortage, but bigger problem may be mismatch of skills and experience. Too many 'entry level' cybersecurity jobs ask for too much experience and that is the biggest challenge I see students facing.

I had a check on that, just this week. I'm looking to hire a couple of temp, part-timers for some very simple IT work, two of the three I interviewed didn't have a single IT cert (not even ITF+).

I think that mismatch is ever-present with HR folks that don't understand what the certs themselves represent; they certainly know the buzzwords of This+ or That+. Maybe they know the distinction between Associate and Professional in cert grade. But it's tough to distinguish between this candidate with no certs and that candidate with no certs before the interview process (which is a drain on HR's time and energy - so they want to make sure they have a crop of folks that won't be a waste of time to interview).

/r

 

[PLeimbach]

Is there a shortage? I am sure there is. But, you also have to consider what people are looking for. When the issues are vetted you can probably cut the numbers significantly. So some of the things I consider after looking at job postings.
1) They want people for entry level positions with 5+ years of experience. Yes, I have seen that more than once.
2) The employer is NOT willing to even speak with someone without experience.
3) They want a top level clearance in a entry level position. Yet, seem to not hire veterans.
4) They want not just a cyber security person but also, a CCIE, Master Level Java Programmer who is proficient in front end development but it is entry level.

And the list goes on and on. Makes it difficult to discuss a career in cyber security with students when they see these postings.

 

[Rick Butler]

Hi Philip:

The HR department is often out of step with what they want in an employee, what they actually need in an employee, and what is available vs what the organization is willing and able to pay for that skill set (which is often at the cheapest possible). Often, they do not understand what the certifications are - they're just buzzwords, when making hiring decisions or qualifying candidates.

This is one of the factors why we're seeing IT professionals getting undercut in salary - which we're seeing waning in the light of an increase in costs of living.

Know what you're worth and don't settle for anything less, y'all.

/r